x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: GHSA-5grx-v727-qmq6

[GoVulnBot]

Advisory GHSA-5grx-v727-qmq6 references a vulnerability in the following Go modules:

Module
github.com/1Panel-dev/1Panel

Description:

Summary

There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs.
The proof is as follows

Details （one of them ）

...

References:

• ADVISORY: GHSA-5grx-v727-qmq6
• ADVISORY: GHSA-5grx-v727-qmq6
• FIX: 1Panel-dev/1Panel@ff549a4

Cross references:

• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-36457 #1887 NOT_IMPORTABLE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-36458 #1888 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-37477 #1940 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39964 #2004 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39965 #2005 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39966 #2006 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-24768 #2531
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: GHSA-26w3-q4j8-4xjp #2613
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: GHSA-x2vg-5wrf-vj6v #2636
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-30257 #2734
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-34352 #2830

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/1Panel-dev/1Panel
      non_go_versions:
        - fixed: 1.10.12-tls
      vulnerable_at: 1.9.6
summary: 1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel
cves:
    - CVE-2024-39907
ghsas:
    - GHSA-5grx-v727-qmq6
references:
    - advisory: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6
    - advisory: https://github.com/advisories/GHSA-5grx-v727-qmq6
    - fix: https://github.com/1Panel-dev/1Panel/commit/ff549a47937c1314e6ee08453a1d2128242440cd
source:
    id: GHSA-5grx-v727-qmq6
    created: 2024-07-18T15:01:15.281010694Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/599457 mentions this issue: data/excluded,data/reports: add 6 reports